Hacker News

hoppp today at 1:46 PM

Do not store secrets in the repository in files, but inject them during runtime. Then the agents have no way to access them.


Replies

tiew9Vii today at 2:08 PM

A lot of people have secrets/config files in the project's working directory but ignored by git, i.e. `.env.local`

So they're following best practice, not committing secrets, but agents running locally can still see them even if sandboxing to the working directory.

I've taken to storing configs using XDG_CONFIG_HOME and have the app auto-resolve them by convention or take a CLI arg to specify the config path. All secrets are in files, not env vars.

That way when using sandboxing the agent can never see the configs or secrets as they're outside the working directory.

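An added example, not code from either commenter: one way to implement the resolution order described in the reply above (explicit CLI path first, then `$XDG_CONFIG_HOME` by convention) while refusing any secrets file that resolves inside the working directory an agent is sandboxed to. The app name `exampleapp`, the file name `config.env` and the owner-only permission check are assumptions made for the illustration.

```python
import os
import stat
from pathlib import Path

APP_NAME = "exampleapp"      # hypothetical application name
CONFIG_FILE = "config.env"   # hypothetical file name under the app's config dir


class ConfigError(Exception):
    """Raised when the secrets file is missing or stored somewhere unsafe."""


def xdg_config_home(env):
    # XDG Base Directory spec: an unset, empty or relative value is ignored
    # and the default $HOME/.config is used instead.
    value = env.get("XDG_CONFIG_HOME", "")
    if value and os.path.isabs(value):
        return Path(value)
    return Path(env["HOME"]) / ".config"


def resolve_config(cli_path=None, env=None, workdir=None, app=APP_NAME):
    """Return the secrets file path: CLI argument first, XDG convention second."""
    env = os.environ if env is None else env
    workdir = Path(workdir or os.getcwd()).resolve()
    if cli_path:
        # A relative CLI path is taken relative to the working directory.
        candidate = workdir / cli_path
    else:
        candidate = xdg_config_home(env) / app / CONFIG_FILE
    # resolve() follows symlinks, so a link that points back into the
    # project tree is judged by where the file really lives.
    path = candidate.resolve()
    if path == workdir or workdir in path.parents:
        raise ConfigError(f"{path} is inside the working directory {workdir}")
    if not path.is_file():
        raise ConfigError(f"no config file at {path}")
    # Extra check (assumption, not from the thread): owner-only permissions.
    if stat.S_IMODE(path.stat().st_mode) & 0o077:
        raise ConfigError(f"{path} is accessible to group/other; use mode 600")
    return path
```

The value parsed from the app's own `--config` style option is passed as `cli_path`; a rejected path raises `ConfigError` instead of silently loading an in-tree file such as `.env.local`.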